Skip to content

Commit

Permalink
2016-03-04 Version 0.10.43 (Maintenance) Release
Browse files Browse the repository at this point in the history
Notable changes:

* http_parser: Update to http-parser 1.2 to fix an unintentionally
  strict limitation of allowable header characters.
  (James M Snell) #5242
* domains:
  - Prevent an exit due to an exception being thrown rather than
  emitting an 'uncaughtException' event on the `process` object when
  no error handler is set on the domain within which an error is
  thrown and an 'uncaughtException' event listener is set on
  `process`. (Julien Gilli) #3887
  - Fix an issue where the process would not abort in the proper
  function call if an error is thrown within a domain with no error
  handler and `--abort-on-uncaught-exception` is used.
  (Julien Gilli) #3887
* openssl: Upgrade from 1.0.1r to 1.0.1s
  (Ben Noordhuis) #5508
  - Fix a double-free defect in parsing malformed DSA keys that may
    potentially be used for DoS or memory corruption attacks. It is
    likely to be very difficult to use this defect for a practical
    attack and is therefore considered low severity for Node.js users.
    More info is available at
    https://www.openssl.org/news/vulnerabilities.html#2016-0705
  - Fix a defect that can cause memory corruption in certain very rare
    cases relating to the internal `BN_hex2bn()` and `BN_dec2bn()`
    functions. It is believed that Node.js is not invoking the code
    paths that use these functions so practical attacks via Node.js
    using this defect are _unlikely_ to be possible. More info is
    available at
    https://www.openssl.org/news/vulnerabilities.html#2016-0797
  - Fix a defect that makes the CacheBleed Attack
    (https://ssrg.nicta.com.au/projects/TS/cachebleed/) possible.
    This defect enables attackers to execute side-channel attacks
    leading to the potential recovery of entire RSA private keys. It
    only affects the Intel Sandy Bridge (and possibly older)
    microarchitecture when using hyper-threading. Newer
    microarchitectures, including Haswell, are unaffected. More info
    is available at
    https://www.openssl.org/news/vulnerabilities.html#2016-0702
  - Remove SSLv2 support, the `--enable-ssl2` command line argument
    will now produce an error. The DROWN Attack
    (https://drownattack.com/) creates a vulnerability where SSLv2 is
    enabled by a server, even if a client connection is not using
    SSLv2. The SSLv2 protocol is widely considered unacceptably broken
    and should not be supported. More information is available at
    https://www.openssl.org/news/vulnerabilities.html#2016-0800

PR-URL: #5404
  • Loading branch information
rvagg committed Mar 4, 2016
1 parent 164157a commit 3123e9a
Show file tree
Hide file tree
Showing 2 changed files with 25 additions and 1 deletion.
24 changes: 24 additions & 0 deletions ChangeLog
Original file line number Diff line number Diff line change
@@ -1,3 +1,27 @@
2016-03-04, Version 0.10.43 (Maintenance), @rvagg

Notable changes:

* http_parser: Update to http-parser 1.2 to fix an unintentionally strict limitation of allowable header characters. (James M Snell) https://github.com/nodejs/node/pull/5242
* domains:
- Prevent an exit due to an exception being thrown rather than emitting an `'uncaughtException'` event on the `process` object when no error handler is set on the domain within which an error is thrown and an `'uncaughtException'` event listener is set on `process`. (Julien Gilli) https://github.com/nodejs/node/pull/3887
- Fix an issue where the process would not abort in the proper function call if an error is thrown within a domain with no error handler and `--abort-on-uncaught-exception` is used. (Julien Gilli) https://github.com/nodejs/node/pull/3887
* openssl: Upgrade from 1.0.1r to 1.0.1s (Ben Noordhuis) https://github.com/nodejs/node/pull/5508
- Fix a double-free defect in parsing malformed DSA keys that may potentially be used for DoS or memory corruption attacks. It is likely to be very difficult to use this defect for a practical attack and is therefore considered low severity for Node.js users. More info is available at https://www.openssl.org/news/vulnerabilities.html#2016-0705
- Fix a defect that can cause memory corruption in certain very rare cases relating to the internal `BN_hex2bn()` and `BN_dec2bn()` functions. It is believed that Node.js is not invoking the code paths that use these functions so practical attacks via Node.js using this defect are _unlikely_ to be possible. More info is available at https://www.openssl.org/news/vulnerabilities.html#2016-0797
- Fix a defect that makes the CacheBleed Attack (https://ssrg.nicta.com.au/projects/TS/cachebleed/) possible. This defect enables attackers to execute side-channel attacks leading to the potential recovery of entire RSA private keys. It only affects the Intel Sandy Bridge (and possibly older) microarchitecture when using hyper-threading. Newer microarchitectures, including Haswell, are unaffected. More info is available at https://www.openssl.org/news/vulnerabilities.html#2016-0702
- Remove SSLv2 support, the `--enable-ssl2` command line argument will now produce an error. The DROWN Attack (https://drownattack.com/) creates a vulnerability where SSLv2 is enabled by a server, even if a client connection is not using SSLv2. The SSLv2 protocol is widely considered unacceptably broken and should not be supported. More information is available at https://www.openssl.org/news/vulnerabilities.html#2016-0800

Commits:

* [164157abbb] - build: update Node.js logo on OSX installer (Rod Vagg) https://github.com/nodejs/node/pull/5401
* [f8cb0dcf67] - crypto,tls: remove SSLv2 support (Ben Noordhuis) https://github.com/nodejs/node/pull/5529
* [42ded2a590] - deps: upgrade openssl to 1.0.1s (Ben Noordhuis) https://github.com/nodejs/node/pull/5508
* [1e45a6111c] - deps: update http-parser to version 1.2 (James M Snell) https://github.com/nodejs/node/pull/5242
* [6db377b2f4] - doc: remove SSLv2 descriptions (Shigeki Ohtsu) https://github.com/nodejs/node/pull/5541
* [563c359f5c] - domains: fix handling of uncaught exceptions (Julien Gilli) https://github.com/nodejs/node/pull/3887
* [e483f3fd26] - test: fix hanging http obstext test (Ben Noordhuis) https://github.com/nodejs/node/pull/5511

2016-02-09, Version 0.10.42 (Maintenance), @jasnell

This is an important security release. All Node.js users should consult the security release summary at nodejs.org for details on patched vulnerabilities.
Expand Down
2 changes: 1 addition & 1 deletion src/node_version.h
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@
#define NODE_MINOR_VERSION 10
#define NODE_PATCH_VERSION 43

#define NODE_VERSION_IS_RELEASE 0
#define NODE_VERSION_IS_RELEASE 1

#ifndef NODE_STRINGIFY
#define NODE_STRINGIFY(n) NODE_STRINGIFY_HELPER(n)
Expand Down

0 comments on commit 3123e9a

Please sign in to comment.